@spiderzz wrote:

前言

逆向很多的入手情况可能需要找到, 通过 cycript + Reveal 找到当前 View 的 ViewController.

但其实我们可以通过 hook 住 objc_msgSend 提供一些思路, 有个问题就是 objc_msgSend 调用过于频繁, 不能所有都打印, 那么可以借助 HookZz 搞一些事情.

可能有人疑问, 这个和 logify 关系.

1. 打印通用 ViewController, 无需具体的类.
2. 显示调用层级.

hook_objc_msgSend

具体细节可以查看代码. Move to hook_objc_msgSend

本来想解析一下参数的, 没解析完, 有兴趣的可以参考 Move to InspectiveC

void objc_msgSend_pre_call(RegState *rs, ThreadStack *threadstack, CallStack *callstack) {
    char *sel_name = (char *)rs->general.regs.x1;
    // No More Work Here!!! it will be slow.
    if(sel_name > log_sel_start_addr && sel_name < log_sel_end_addr) {
        // bad code! correct-ref: https://github.com/DavidGoldman/InspectiveC/blob/299cef1c40e8a165c697f97bcd317c5cfa55c4ba/logging.mm#L27
        void *class_addr = object_getClass((void *)rs->general.regs.x0);
        void *super_class_addr = class_getSuperclass(class_addr);
        // KVO 2333
        if((class_addr > log_class_start_addr && class_addr < log_class_end_addr) || (super_class_addr > log_class_start_addr && super_class_addr < log_class_end_addr)) {
            memset(decollators, 45, 128);
            decollators[threadstack->size * 3] = '\0';
            char *class_name = ((const char *(*)(void *))object_getClassName)(class_addr);
            unsigned int class_name_length = strlen(class_name);
            
            // check View
            // if(class_name_length >= 4 && !strcmp((class_name + class_name_length - 4), "View")) {
            //     NSLog(@"thread-id: %ld | %s [%s %s]", threadstack->thread_id, decollators, class_name, sel_name);
            // }

            // check ViewController
            if(class_name_length >= 14 && !strcmp((class_name + class_name_length - 14), "ViewController")) {
                #if 1
                NSLog(@"thread-id: %ld | %s [%s %s]", threadstack->thread_id, decollators, class_name, sel_name);
                #else
                Method method = class_getInstanceMethod(class_addr, sel_name);
                int num_args = method_getNumberOfArguments(method);
                char method_name[128] = {0};
                char sel_name_tmp[128] = {0};
                char *x;
                char *y;
                x = sel_name_tmp;
                strcpy(sel_name_tmp, sel_name);
                if(!strchr(x, ':')) {
                    NSLog(@"thread-id: %ld | %s [%s %s]", threadstack->thread_id, decollators, class_name, sel_name_tmp);
                    return;

                }
                for (int i=2; strchr(x, ':') && i < num_args; i++) {
                    y = strchr(x, ':');
                    *y = '\0';
                    char *type_name = method_copyArgumentType(method, i);
                    sprintf(method_name + strlen(method_name), "%s:", x);
                    sprintfArg(method_name + strlen(method_name), rs, i, type_name);
                    x = y + 1;
                }
                NSLog(@"thread-id: %ld | %s [%s %s]", threadstack->thread_id, decollators, class_name, method_name);
                #endif
            }
        }
    }
}

既然大家都喜欢搞 **Chat, 那以 **Chat 撤回消息举个例子, 整个撤回大概是这么个流程. 这里感谢庆总的 MonkeyDev, 可以快速测试 **Chat, 之后应该会将该工具移植到 MonkeyDev.

因为打印的记录并不是很多, 那么其实在这里已经可以看出具体的逻辑了, 下面可能用 awk 处理了一下更清楚了.

2017-09-05 15:04:29.382925+0800  **Chat[48799:11942122] thread-id: 7123647296 | ------------------ [NSKVONotifying_BaseMsgContentViewController MessageReturn:MessageInfo:Event:]
2017-09-05 15:04:29.392743+0800  **Chat[48799:11942122] thread-id: 7123647296 | --------------------------- [NSKVONotifying_BaseMsgContentViewController OnMsgRevoked:n64MsgId:SysMsg:]
2017-09-05 15:04:29.392994+0800  **Chat[48799:11942122] thread-id: 7123647296 | ------------------------------ [NSKVONotifying_BaseMsgContentViewController GetContact]
2017-09-05 15:04:29.517825+0800  **Chat[48799:11942122] thread-id: 7123647296 | ------------------ [NSKVONotifying_BaseMsgContentViewController MessageReturn:MessageInfo:Event:]
2017-09-05 15:04:29.524797+0800  **Chat[48799:11942122] thread-id: 7123647296 | ------------------ [NSKVONotifying_BaseMsgContentViewController findNodeDataByLocalId:]
2017-09-05 15:04:29.525046+0800  **Chat[48799:11942122] thread-id: 7123647296 | ------------------ [NSKVONotifying_BaseMsgContentViewController addMessageNode:layout:addMoreMsg:]
2017-09-05 15:04:29.525195+0800  **Chat[48799:11942122] thread-id: 7123647296 | --------------------- [NSKVONotifying_BaseMsgContentViewController findNodeDataByLocalId:]
2017-09-05 15:04:29.525369+0800  **Chat[48799:11942122] thread-id: 7123647296 | --------------------- [NSKVONotifying_BaseMsgContentViewController getCurContentSizeHeight]
2017-09-05 15:04:29.526230+0800  **Chat[48799:11942122] thread-id: 7123647296 | --------------------- [NSKVONotifying_BaseMsgContentViewController getTableViewVisibleHeightWithOrientation:]
2017-09-05 15:04:29.526389+0800  **Chat[48799:11942122] thread-id: 7123647296 | ------------------------ [NSKVONotifying_BaseMsgContentViewController getSearchBarHeight]
2017-09-05 15:04:29.526518+0800  **Chat[48799:11942122] thread-id: 7123647296 | ------------------------ [NSKVONotifying_BaseMsgContentViewController getTipsHeight]
2017-09-05 15:04:29.526577+0800  **Chat[48799:11942122] thread-id: 7123647296 | --------------------------- [NSKVONotifying_BaseMsgContentViewController getAddFriendTipHeight]
2017-09-05 15:04:29.526628+0800  **Chat[48799:11942122] thread-id: 7123647296 | --------------------------- [NSKVONotifying_BaseMsgContentViewController getSecurityBannerTipHeight]
2017-09-05 15:04:29.526740+0800  **Chat[48799:11942122] thread-id: 7123647296 | --------------------- [NSKVONotifying_BaseMsgContentViewController getTableViewVisibleHeightWithOrientation:]
2017-09-05 15:04:29.526839+0800  **Chat[48799:11942122] thread-id: 7123647296 | ------------------------ [NSKVONotifying_BaseMsgContentViewController getSearchBarHeight]
2017-09-05 15:04:29.526897+0800  **Chat[48799:11942122] thread-id: 7123647296 | ------------------------ [NSKVONotifying_BaseMsgContentViewController getTipsHeight]
2017-09-05 15:04:29.526948+0800  **Chat[48799:11942122] thread-id: 7123647296 | --------------------------- [NSKVONotifying_BaseMsgContentViewController getAddFriendTipHeight]
2017-09-05 15:04:29.526999+0800  **Chat[48799:11942122] thread-id: 7123647296 | --------------------------- [NSKVONotifying_BaseMsgContentViewController getSecurityBannerTipHeight]
2017-09-05 15:04:29.527064+0800  **Chat[48799:11942122] thread-id: 7123647296 | --------------------- [NSKVONotifying_BaseMsgContentViewController isShowHeadImage:]
2017-09-05 15:04:29.527435+0800  **Chat[48799:11942122] thread-id: 7123647296 | --------------------- [NSKVONotifying_BaseMsgContentViewController getMessageChatContactByMessageWrap:]
2017-09-05 15:04:29.529299+0800  **Chat[48799:11942122] thread-id: 7123647296 | --------------------- [NSKVONotifying_BaseMsgContentViewController getCurContentSizeHeight]
2017-09-05 15:04:29.540957+0800  **Chat[48799:11942122] thread-id: 7123647296 | --------------------- [NSKVONotifying_BaseMsgContentViewController getContentViewY]
2017-09-05 15:04:29.607821+0800  **Chat[48799:11942122] thread-id: 7123647296 | ------------------------ [NSKVONotifying_BaseMsgContentViewController didFinishedLoading:]
2017-09-05 15:04:29.608005+0800  **Chat[48799:11942122] thread-id: 7123647296 | --------------------- [NSKVONotifying_BaseMsgContentViewController ScrollToBottomAnimated:]
2017-09-05 15:04:29.609417+0800  **Chat[48799:11942122] thread-id: 7123647296 | ------------------------------------------------------------ [NSKVONotifying_BaseMsgContentViewController getTableViewVisibleHeightWithOrientation:]
2017-09-05 15:04:29.609570+0800  **Chat[48799:11942122] thread-id: 7123647296 | --------------------------------------------------------------- [NSKVONotifying_BaseMsgContentViewController getSearchBarHeight]
2017-09-05 15:04:29.609650+0800  **Chat[48799:11942122] thread-id: 7123647296 | --------------------------------------------------------------- [NSKVONotifying_BaseMsgContentViewController getTipsHeight]
2017-09-05 15:04:29.609720+0800  **Chat[48799:11942122] thread-id: 7123647296 | ------------------------------------------------------------------ [NSKVONotifying_BaseMsgContentViewController getAddFriendTipHeight]
2017-09-05 15:04:29.609791+0800  **Chat[48799:11942122] thread-id: 7123647296 | ------------------------------------------------------------------ [NSKVONotifying_BaseMsgContentViewController getSecurityBannerTipHeight]
2017-09-05 15:04:29.657073+0800  **Chat[48799:11942122] thread-id: 7123647296 | ------------------------ [NSKVONotifying_NewMainFrameViewController updateSession:]
2017-09-05 15:04:29.661082+0800  **Chat[48799:11942122] thread-id: 7123647296 | --------------------- [NSKVONotifying_NewMainFrameViewController reloadSessions]
2017-09-05 15:04:29.670737+0800  **Chat[48799:11942594] [WC] WCSession is not paired
2017-09-05 15:04:29.672210+0800  **Chat[48799:11942594] [WC] -[WCSession onqueue_notifyOfUserInfoError:withUserInfoTransfer:]_block_invoke dropping as pairingIDs no longer match. pairingID (null), client pairingID: (null)
2017-09-05 15:04:29.673883+0800  **Chat[48799:11942591] [WC] no pairingID
2017-09-05 15:04:29.695792+0800  **Chat[48799:11942122] thread-id: 7123647296 | --------------------------- [NSKVONotifying_NewMainFrameViewController updateStatusBar]
2017-09-05 15:04:29.696051+0800  **Chat[48799:11942122] thread-id: 7123647296 | --------------------------- [NSKVONotifying_NewMainFrameViewController updateSession:]
2017-09-05 15:04:29.699496+0800  **Chat[48799:11942122] thread-id: 7123647296 | ------------------------ [NSKVONotifying_NewMainFrameViewController reloadSessions]
2017-09-05 15:04:29.755781+0800  **Chat[48799:11942122] thread-id: 7123647296 | ------------------------ [NSKVONotifying_NewMainFrameViewController updateStatusBar]
2017-09-05 15:04:29.756042+0800  **Chat[48799:11942122] thread-id: 7123647296 | ------------------------ [NSKVONotifying_NewMainFrameViewController updateSession:]
2017-09-05 15:04:29.759650+0800  **Chat[48799:11942122] thread-id: 7123647296 | --------------------- [NSKVONotifying_NewMainFrameViewController reloadSessions]
2017-09-05 15:04:29.771645+0800  **Chat[48799:11942122] thread-id: 7123647296 | ------------------------------------------------------ [NSKVONotifying_BaseMsgContentViewController makeCell:indexPath:]
2017-09-05 15:04:29.777169+0800  **Chat[48799:11942122] thread-id: 7123647296 | ------------------------------------------------------ [NSKVONotifying_BaseMsgContentViewController makeCell:indexPath:]
2017-09-05 15:04:29.782692+0800  **Chat[48799:11942122] thread-id: 7123647296 | ------------------------------------------------------ [NSKVONotifying_BaseMsgContentViewController makeCell:indexPath:]
2017-09-05 15:04:29.792774+0800  **Chat[48799:11942122] thread-id: 7123647296 | ------------------------------------------------------ [NSKVONotifying_BaseMsgContentViewController makeCell:indexPath:]
2017-09-05 15:04:29.798065+0800  **Chat[48799:11942122] thread-id: 7123647296 | ------------------------------------------------------ [NSKVONotifying_BaseMsgContentViewController makeCell:indexPath:]
2017-09-05 15:04:29.803573+0800  **Chat[48799:11942122] thread-id: 7123647296 | ------------------------------------------------------ [NSKVONotifying_BaseMsgContentViewController makeCell:indexPath:]
2017-09-05 15:04:29.813564+0800  **Chat[48799:11942122] thread-id: 7123647296 | ------------------------------------------------------ [NSKVONotifying_BaseMsgContentViewController makeCell:indexPath:]
2017-09-05 15:04:29.818924+0800  **Chat[48799:11942122] thread-id: 7123647296 | ------------------------------------------------------ [NSKVONotifying_BaseMsgContentViewController makeCell:indexPath:]
2017-09-05 15:04:29.824741+0800  **Chat[48799:11942122] thread-id: 7123647296 | ------------------------------------------------------ [NSKVONotifying_BaseMsgContentViewController makeCell:indexPath:]
2017-09-05 15:04:29.830379+0800  **Chat[48799:11942122] thread-id: 7123647296 | ------------------------------------------------------ [NSKVONotifying_BaseMsgContentViewController makeCell:indexPath:]
2017-09-05 15:04:29.839838+0800  **Chat[48799:11942122] thread-id: 7123647296 | ------------------------------------------------------ [NSKVONotifying_BaseMsgContentViewController makeCell:indexPath:]
2017-09-05 15:04:29.844709+0800  **Chat[48799:11942122] thread-id: 7123647296 | ------------------------------------------------------ [NSKVONotifying_BaseMsgContentViewController makeCell:indexPath:]
2017-09-05 15:04:29.854562+0800  **Chat[48799:11942122] thread-id: 7123647296 | ------------------------------------------------------ [NSKVONotifying_BaseMsgContentViewController makeCell:indexPath:]
2017-09-05 15:04:29.860159+0800  **Chat[48799:11942122] thread-id: 7123647296 | ------------------------------------------------------ [NSKVONotifying_BaseMsgContentViewController makeCell:indexPath:]
2017-09-05 15:04:29.886389+0800  **Chat[48799:11942122] thread-id: 7123647296 | --------- [NSKVONotifying_BaseMsgContentViewController deleteNode:withDB:animated:]
2017-09-05 15:04:29.886569+0800  **Chat[48799:11942122] thread-id: 7123647296 | ------------ [NSKVONotifying_BaseMsgContentViewController findNodeDataByLocalId:]
2017-09-05 15:04:29.886825+0800  **Chat[48799:11942122] thread-id: 7123647296 | ------------ [NSKVONotifying_BaseMsgContentViewController findNodeIndexByLocalId:]
2017-09-05 15:04:29.887270+0800  **Chat[48799:11942122] thread-id: 7123647296 | ------------ [NSKVONotifying_BaseMsgContentViewController removeObjectsFromMessageNodeDatas:]
2017-09-05 15:04:29.887521+0800  **Chat[48799:11942122] thread-id: 7123647296 | --------------- [NSKVONotifying_BaseMsgContentViewController getLastSentMsg]
2017-09-05 15:04:29.888255+0800  **Chat[48799:11942122] thread-id: 7123647296 | --------------- [NSKVONotifying_BaseMsgContentViewController updateMessageNodeStatus:]
2017-09-05 15:04:29.888334+0800  **Chat[48799:11942122] thread-id: 7123647296 | ------------------ [NSKVONotifying_BaseMsgContentViewController findNodeDataByLocalId:]
2017-09-05 15:04:29.919073+0800  **Chat[48799:11942122] thread-id: 7123647296 | --------------------------------------------------------- [NSKVONotifying_BaseMsgContentViewController makeCell:indexPath:]
2017-09-05 15:04:29.924847+0800  **Chat[48799:11942122] thread-id: 7123647296 | --------------------------------------------------------- [NSKVONotifying_BaseMsgContentViewController makeCell:indexPath:]
2017-09-05 15:04:29.994115+0800  **Chat[48799:11942122] thread-id: 7123647296 | ------------ [NSKVONotifying_BaseMsgContentViewController getCurContentSizeHeight]
2017-09-05 15:04:29.994933+0800  **Chat[48799:11942122] thread-id: 7123647296 | ------------ [NSKVONotifying_BaseMsgContentViewController getTableViewVisibleHeightWithOrientation:]
2017-09-05 15:04:29.995051+0800  **Chat[48799:11942122] thread-id: 7123647296 | --------------- [NSKVONotifying_BaseMsgContentViewController getSearchBarHeight]
2017-09-05 15:04:29.995115+0800  **Chat[48799:11942122] thread-id: 7123647296 | --------------- [NSKVONotifying_BaseMsgContentViewController getTipsHeight]
2017-09-05 15:04:29.995168+0800  **Chat[48799:11942122] thread-id: 7123647296 | ------------------ [NSKVONotifying_BaseMsgContentViewController getAddFriendTipHeight]
2017-09-05 15:04:29.995220+0800  **Chat[48799:11942122] thread-id: 7123647296 | ------------------ [NSKVONotifying_BaseMsgContentViewController getSecurityBannerTipHeight]
2017-09-05 15:04:30.000301+0800  **Chat[48799:11942122] thread-id: 7123647296 | --------------------- [NSKVONotifying_BaseMsgContentViewController getContentViewY]
2017-09-05 15:04:30.000701+0800  **Chat[48799:11942122] thread-id: 7123647296 | --------------------- [NSKVONotifying_BaseMsgContentViewController getContentViewY]
2017-09-05 15:04:30.001095+0800  **Chat[48799:11942122] thread-id: 7123647296 | --------------------- [NSKVONotifying_BaseMsgContentViewController getContentViewY]
2017-09-05 15:04:30.001367+0800  **Chat[48799:11942122] thread-id: 7123647296 | --------------------- [NSKVONotifying_BaseMsgContentViewController getContentViewY]
2017-09-05 15:04:30.001725+0800  **Chat[48799:11942122] thread-id: 7123647296 | --------------------- [NSKVONotifying_BaseMsgContentViewController getContentViewY]
2017-09-05 15:04:46.929071+0800  **Chat[48799:11942122] thread-id: 7123647296 | --------------- [NSKVONotifying_NewMainFrameViewController updateAllItemTimeLabel]
2017-09-05 15:05:46.924535+0800  **Chat[48799:11942122] thread-id: 7123647296 | --------------- [NSKVONotifying_NewMainFrameViewController updateAllItemTimeLabel]

其实整个过程在 xcode 的控制台下还是很清楚, 有同学可以再做一下输出的优化, 这里我直接用 awk 处理下.

------------------[NSKVONotifying_BaseMsgContentViewController MessageReturn:MessageInfo:Event:]
---------------------------[NSKVONotifying_BaseMsgContentViewController OnMsgRevoked:n64MsgId:SysMsg:]
------------------------------[NSKVONotifying_BaseMsgContentViewController GetContact]
------------------[NSKVONotifying_BaseMsgContentViewController MessageReturn:MessageInfo:Event:]
------------------[NSKVONotifying_BaseMsgContentViewController findNodeDataByLocalId:]
------------------[NSKVONotifying_BaseMsgContentViewController addMessageNode:layout:addMoreMsg:]
---------------------[NSKVONotifying_BaseMsgContentViewController findNodeDataByLocalId:]
---------------------[NSKVONotifying_BaseMsgContentViewController getCurContentSizeHeight]
---------------------[NSKVONotifying_BaseMsgContentViewController getTableViewVisibleHeightWithOrientation:]
------------------------[NSKVONotifying_BaseMsgContentViewController getSearchBarHeight]
------------------------[NSKVONotifying_BaseMsgContentViewController getTipsHeight]
---------------------------[NSKVONotifying_BaseMsgContentViewController getAddFriendTipHeight]
---------------------------[NSKVONotifying_BaseMsgContentViewController getSecurityBannerTipHeight]
---------------------[NSKVONotifying_BaseMsgContentViewController getTableViewVisibleHeightWithOrientation:]
------------------------[NSKVONotifying_BaseMsgContentViewController getSearchBarHeight]
------------------------[NSKVONotifying_BaseMsgContentViewController getTipsHeight]
---------------------------[NSKVONotifying_BaseMsgContentViewController getAddFriendTipHeight]
---------------------------[NSKVONotifying_BaseMsgContentViewController getSecurityBannerTipHeight]
---------------------[NSKVONotifying_BaseMsgContentViewController isShowHeadImage:]
---------------------[NSKVONotifying_BaseMsgContentViewController getMessageChatContactByMessageWrap:]
---------------------[NSKVONotifying_BaseMsgContentViewController getCurContentSizeHeight]
---------------------[NSKVONotifying_BaseMsgContentViewController getContentViewY]
------------------------[NSKVONotifying_BaseMsgContentViewController didFinishedLoading:]
---------------------[NSKVONotifying_BaseMsgContentViewController ScrollToBottomAnimated:]
------------------------------------------------------------[NSKVONotifying_BaseMsgContentViewController getTableViewVisibleHeightWithOrientation:]
---------------------------------------------------------------[NSKVONotifying_BaseMsgContentViewController getSearchBarHeight]
---------------------------------------------------------------[NSKVONotifying_BaseMsgContentViewController getTipsHeight]
------------------------------------------------------------------[NSKVONotifying_BaseMsgContentViewController getAddFriendTipHeight]
------------------------------------------------------------------[NSKVONotifying_BaseMsgContentViewController getSecurityBannerTipHeight]
------------------------[NSKVONotifying_NewMainFrameViewController updateSession:]
---------------------[NSKVONotifying_NewMainFrameViewController reloadSessions]
notpaired 
droppingas pairingIDs
 
---------------------------[NSKVONotifying_NewMainFrameViewController updateStatusBar]
---------------------------[NSKVONotifying_NewMainFrameViewController updateSession:]
------------------------[NSKVONotifying_NewMainFrameViewController reloadSessions]
------------------------[NSKVONotifying_NewMainFrameViewController updateStatusBar]
------------------------[NSKVONotifying_NewMainFrameViewController updateSession:]
---------------------[NSKVONotifying_NewMainFrameViewController reloadSessions]
------------------------------------------------------[NSKVONotifying_BaseMsgContentViewController makeCell:indexPath:]
------------------------------------------------------[NSKVONotifying_BaseMsgContentViewController makeCell:indexPath:]
------------------------------------------------------[NSKVONotifying_BaseMsgContentViewController makeCell:indexPath:]
------------------------------------------------------[NSKVONotifying_BaseMsgContentViewController makeCell:indexPath:]
------------------------------------------------------[NSKVONotifying_BaseMsgContentViewController makeCell:indexPath:]
------------------------------------------------------[NSKVONotifying_BaseMsgContentViewController makeCell:indexPath:]
------------------------------------------------------[NSKVONotifying_BaseMsgContentViewController makeCell:indexPath:]
------------------------------------------------------[NSKVONotifying_BaseMsgContentViewController makeCell:indexPath:]
------------------------------------------------------[NSKVONotifying_BaseMsgContentViewController makeCell:indexPath:]
------------------------------------------------------[NSKVONotifying_BaseMsgContentViewController makeCell:indexPath:]
------------------------------------------------------[NSKVONotifying_BaseMsgContentViewController makeCell:indexPath:]
------------------------------------------------------[NSKVONotifying_BaseMsgContentViewController makeCell:indexPath:]
------------------------------------------------------[NSKVONotifying_BaseMsgContentViewController makeCell:indexPath:]
------------------------------------------------------[NSKVONotifying_BaseMsgContentViewController makeCell:indexPath:]
---------[NSKVONotifying_BaseMsgContentViewController deleteNode:withDB:animated:]
------------[NSKVONotifying_BaseMsgContentViewController findNodeDataByLocalId:]
------------[NSKVONotifying_BaseMsgContentViewController findNodeIndexByLocalId:]
------------[NSKVONotifying_BaseMsgContentViewController removeObjectsFromMessageNodeDatas:]
---------------[NSKVONotifying_BaseMsgContentViewController getLastSentMsg]
---------------[NSKVONotifying_BaseMsgContentViewController updateMessageNodeStatus:]
------------------[NSKVONotifying_BaseMsgContentViewController findNodeDataByLocalId:]
---------------------------------------------------------[NSKVONotifying_BaseMsgContentViewController makeCell:indexPath:]
---------------------------------------------------------[NSKVONotifying_BaseMsgContentViewController makeCell:indexPath:]
------------[NSKVONotifying_BaseMsgContentViewController getCurContentSizeHeight]
------------[NSKVONotifying_BaseMsgContentViewController getTableViewVisibleHeightWithOrientation:]
---------------[NSKVONotifying_BaseMsgContentViewController getSearchBarHeight]
---------------[NSKVONotifying_BaseMsgContentViewController getTipsHeight]
------------------[NSKVONotifying_BaseMsgContentViewController getAddFriendTipHeight]
------------------[NSKVONotifying_BaseMsgContentViewController getSecurityBannerTipHeight]
---------------------[NSKVONotifying_BaseMsgContentViewController getContentViewY]
---------------------[NSKVONotifying_BaseMsgContentViewController getContentViewY]
---------------------[NSKVONotifying_BaseMsgContentViewController getContentViewY]
---------------------[NSKVONotifying_BaseMsgContentViewController getContentViewY]
---------------------[NSKVONotifying_BaseMsgContentViewController getContentViewY]
---------------[NSKVONotifying_NewMainFrameViewController updateAllItemTimeLabel]
---------------[NSKVONotifying_NewMainFrameViewController updateAllItemTimeLabel]

Posts: 2

Participants: 2

Read full topic

@CCbird wrote:

屏幕快照 2017-09-06 上午2.02.07.png1179x208 36.6 KB

提示该函数被丢弃，不知道还能不能起作用，如果不能要用到哪个函数

Posts: 3

Participants: 2

Read full topic

@ziacke wrote:

iOS逆向的话有theos.

mac的话，虽然可以用Xcode生成dylib, 但代码写起来比较麻烦。

请问有没有类似的框架？

Posts: 9

Participants: 4

Read full topic

@xiaoleiwei wrote:

1、在越狱手机上登录root
su root
提示incorrect password
但是修改root密码可以成功，太奇怪了
猜测：手机的root权限被关闭了
2、在mac上通过pp助手的ssh通道连接手机root权限，提示：Permission denied, please try again.

各位牛牛，有谁遇到过这种问题吗？折腾了2天了，心力交瘁，遇到过的麻烦告知下。

Posts: 3

Participants: 2

Read full topic

@yh8577 wrote:

mac系统重新安装ssh免密登录iphone失效,重新安装openssh,mac重新设置key都无效

有没有遇到过这种问题

Posts: 2

Participants: 2

Read full topic

@wjk930726 wrote:

需求:

本人最近在研究hook一个Mac程序，通过这几天在论坛的学习已经学会了使用logos语法hookOC方法，但是各位肯定知道这远远是不够的_(:」∠)

所以我现在又开始研究如何hook一个Mac软件的C／C++函数。

通过看了论坛里请问私有函数怎么hook。。。](http://bbs.iosre.com/t/hook/345/10) 、怎么hook C++类的方法？等文章已经查阅了相关资料后，本人开始尝试hook我自己写的一个私有的C方法。

操作步骤:

1. 编写了一个小demo，核心代码如下

#import "ViewController.h"

size_t abcd(int x,int y,int z) {
    return x + y + z;
}

@interface ViewController ()
@property (weak) IBOutlet NSTextField *ll;
@property(nonatomic,assign) size_t length;
@end

@implementation ViewController

- (void)viewDidLoad {
    [super viewDidLoad];

    _length = abcd(1, 2, 3);
}

- (IBAction)cc:(id)sender {
    _ll.stringValue = [NSString stringWithFormat:@"%zu",_length];
}

@end

简单来说，就是点击按钮，软件上会显示一个数字，这个数字是由函数abcd生成，我写死了为6

1. 编写hook代码

   • 我首先写了一个Tweak.xm，内容如下，想要把返回值改为8

%config(generator=internal)

#import <Foundation/Foundation.h>
#include "substrate.h"

/*
size_t abcd(int x,int y,int z) {
    return x + y + z;
}
*/
size_t (*ori_abcd)(int x,int y,int z);
size_t new_abcd(int x,int y,int z) {
    return 8;
}

%ctor {
    NSLog(@"!!!!!!inject success!!!!!!!");

    void *abcd = MSFindSymbol(NULL,"_abcd");
    if (abcd) {
        MSHookFunction(abcd, new_abcd, &ori_abcd);
    }else{
        NSLog(@"!!!!!!inject fail!!!!!!!");
    }
}

• 把要注入的app包和substrate.h放在同一个目录，运行了下面这个脚本

#!/bin/
function getName {
    ls | grep *.app
}
path=$(getName)
temp='temp'
name=${path%.app}

$THEOS/bin/logos.pl ./Tweak.xm > ./$temp.mm
clang -shared -undefined dynamic_lookup -o ./$path/Contents/MacOS/lib.dylib ./$temp.mm
optool install -c load -p @executable_path/lib.dylib -t ./$path/Contents/MacOS/$name

rm -f ./$temp.mm

• 终端显示没有任何异常

Found thin header...
Load command already exists
Successfully inserted a LC_LOAD_DYLIB command for x86_64
Writing executable to Target.app/Contents/MacOS/Target...

• 但是运行就崩溃

2017-09-07 02:00:21.358 Target[10039:636481] !!!!!!inject success!!!!!!!
dyld: lazy symbol binding failed: Symbol not found: _MSFindSymbol
Referenced from: ~/Desktop/Target/abc/Target.app/Contents/MacOS/lib.dylib
Expected in: flat namespace

dyld: Symbol not found: _MSFindSymbol
Referenced from: ~/Desktop/Target/abc/Target.app/Contents/MacOS/lib.dylib
Expected in: flat namespace

[1]    10039 abort      

[进程已完成]

1. 然后我又仔细研究了一下请问私有函数怎么hook。。。，将Tweak.xm改为以下内容

%config(generator=internal)

#import <Foundation/Foundation.h>
#include "substrate.h"

/*
size_t abcd(int x,int y,int z) {
    return x + y + z;
}
*/

extern "C" size_t abcd(int x,int y,int z);

size_t (*ori_abcd)(int x,int y,int z);
size_t new_abcd(int x,int y,int z) {
    return 8;
}

%ctor {
    NSLog(@"!!!!!!inject success!!!!!!!");

    MSHookFunction((void *)abcd, (void *)new_abcd, (void **)&ori_abcd);
}

其他同上，最后依然失败，失败信息如下：

dyld: Symbol not found: _abcd
    Referenced from: ~/Desktop/Target/abc/Target.app/Contents/MacOS/lib.dylib
    Expected in: flat namespace
in ~/Desktop/Target/abc/Target.app/Contents/MacOS/lib.dylib
[1]    10310 abort      

[进程已完成]

请问各位大大我的姿势哪里出错了，感觉应该可以成功的啊_(:」∠)

Posts: 3

Participants: 3

Read full topic

@Young wrote:

static int32_t arm_thumb_bl(int32_t immediate)
{
    // The value doesn't encode the low bit (always zero) and is offset by
    // four. The 32-bit immediate value is encoded as
    //   imm32 = SignExtend(S:I1:I2:imm10:imm11:0)
    // where I1 = NOT(J1 ^ S) and I2 = NOT(J2 ^ S).
    // The value is encoded into disjoint bit positions in the destination
    // opcode. x = unchanged, I = immediate value bit, S = sign extension bit,
    // J = either J1 or J2 bit
    //
    //   BL:  xxxxxSIIIIIIIIII xxJxJIIIIIIIIIII 0xF000D000
    //
    // Note that the halfwords are stored high first, low second; so we need
    // to transpose the fixup value here to map properly.
    uint32_t offset = (immediate - 4) >> 1;
    uint32_t S = (offset & 0x800000) >> 23;
    uint32_t I1 = (offset & 0x400000) >> 22;
    uint32_t J1 = (I1 ^ 0x1) ^ S;
    uint32_t I2 = (offset & 0x200000) >> 21;
    uint32_t J2 = (I2 ^ 0x1) ^ S;
    uint32_t imm10 = (offset & 0x1FF800) >> 11;
    uint32_t imm11 = (offset & 0x000007FF);

    uint32_t Binary = 0;
    uint32_t firstHalf = (((uint16_t)S << 10) | (uint16_t)imm10);
    uint32_t secondHalf = (((uint16_t)J1 << 13) | ((uint16_t)J2 << 11) | (uint16_t)imm11);
    Binary |= secondHalf;
    Binary |= firstHalf << 16;
    Binary |= 0xF000D000;

    uint32_t Byte0 = (Binary & 0xFF000000) >> 8;
    uint32_t Byte1 = (Binary & 0x00FF0000) << 8;
    uint32_t Byte2 = (Binary & 0x0000FF00) >> 8;
    uint32_t Byte3 = (Binary & 0x000000FF) << 8;

    Binary = Byte0 | Byte1 | Byte2 | Byte3;
    return Binary;
}

static int32_t arm_thumb_blx(int32_t immediate)
{
    // The value doesn't encode the low two bits (always zero) and is offset by
     // four (see fixup_arm_thumb_cp). The 32-bit immediate value is encoded as
     //   imm32 = SignExtend(S:I1:I2:imm10H:imm10L:00)
     // where I1 = NOT(J1 ^ S) and I2 = NOT(J2 ^ S).
     // The value is encoded into disjoint bit positions in the destination
     // opcode. x = unchanged, I = immediate value bit, S = sign extension bit,
     // J = either J1 or J2 bit, 0 = zero.
     //
     //   BLX: xxxxxSIIIIIIIIII xxJxJIIIIIIIIII0
     //
     // Note that the halfwords are stored high first, low second; so we need
     // to transpose the fixup value here to map properly.
    uint32_t offset = (immediate - 2) >> 2;
    uint32_t signBit = (offset & 0x400000) >> 22;
    uint32_t I1Bit = (offset & 0x200000) >> 21;
    uint32_t J1Bit = (I1Bit ^ 0x1) ^ signBit;
    uint32_t I2Bit = (offset & 0x100000) >> 20;
    uint32_t J2Bit = (I2Bit ^ 0x1) ^ signBit;
    uint32_t imm10HBits = (offset & 0xFFC00) >> 10;
    uint32_t imm10LBits = (offset & 0x3FF);

    uint32_t Binary = 0;
    uint32_t firstHalf = (((uint16_t)signBit << 10) | (uint16_t)imm10HBits);
    uint32_t secondHalf = (((uint16_t)J1Bit << 13) | ((uint16_t)J2Bit << 11) | ((uint16_t)imm10LBits) << 1);
    Binary |= secondHalf;
    Binary |= firstHalf << 16;
    Binary |= 0xF000C000;

    uint32_t Byte0 = (Binary & 0xFF000000) >> 8;
    uint32_t Byte1 = (Binary & 0x00FF0000) << 8;
    uint32_t Byte2 = (Binary & 0x0000FF00) >> 8;
    uint32_t Byte3 = (Binary & 0x000000FF) << 8;

    Binary = Byte0 | Byte1 | Byte2 | Byte3;
    return Binary;
}

Posts: 2

Participants: 2

Read full topic

@leon_wang wrote:

第一处不解之处。
是Mac sysctl 反调试：
在Mac在创建一个command line程序。内容如图：

Screen Shot 2017-09-07 at 21.27.29.png1846x1518 462 KB

然后Command+R运行。一切如期被退出了。

Screen Shot 2017-09-07 at 21.29.06.png2212x1480 461 KB

到目前为止一切似乎都正常。然而当取出编译好的test.app 到桌面运行。然后用lldb调试则诡异的可以调试了。

Screen Shot 2017-09-07 at 21.31.42.png1952x1138 474 KB

第二处不解之处：
是 Mac sysctl 反反调试：
【使用rd_route这个在Mac上hook C函数的库】编写了如下代码用于解除sysctl的反调试：

Screen Shot 2017-09-07 at 21.34.21.png1878x898 127 KB

先上一个图证明要hook的程序是加了sysctl反调试的

Screen Shot 2017-09-07 at 21.36.13.png1928x1412 314 KB

然后如下图附加生成的动态想去解开sysctl，然而切奔溃了。

Screen Shot 2017-09-07 at 21.38.18.png1604x1236 184 KB

请问大家这两个问题该如何解决呢？

Posts: 2

Participants: 1

Read full topic

@anos wrote:

一个CustomScrollView类继承于UIScrollView，PageScrollView中定义了属性CGFloat customScale，

拦截CustomScrollView类的某一个方法访问CGFloat customScale = CHIvar(self,_customScale, CGFloat); 是正常的，

但是访问CGFloat zoomScale = CHIvar(self,_zoomScale,CGFloat);就报错，

zoomScale是UIScrollView的属性，是因为这个原因不能访问吗？把self改成super或者Super都说未定义，有人知道怎么改吗？

Posts: 2

Participants: 1

Read full topic

@TTKD wrote:

在项目里面由于需要用到mach_absolute_time()函数，其函数在mach/mach_time.h里面。在编译的时候报错了，由于是在动态库中调用，项目估计xcode没有帮默认引用到相关的系统库，想问一下各位小伙伴知道使用mach_time.h需要引入什么系统库吗？感谢！！

Posts: 2

Participants: 2

Read full topic

@xiaoleiwei wrote:

最近在跟着书上做实战，做到MobileNotes拷贝到OSX这块的时候，发现/var/mobile/Containers/Data/Application/A19BBBAB-3518-47E8-896E-6C62B096193B/Documents/这个目录下是空的。

98988F99-59FE-42D9-9287-CBA6B0748AB8.png2544x448 201 KB

手机：iPhone 6S， 10.2
麻烦路过的牛牛指点一下

Posts: 1

Participants: 1

Read full topic

@iosre007 wrote:

在 设置-通用-语言与地区 里可以手动选择地区和iPhone语言，如果我想用代码实现这个过程，请问要怎么做呢？
即实现下面两个方法：
-(void)changeSysLanguageTo:(NSString*)language{}
-(void)changeSysRegionTo:(NSString*)region{}

Posts: 1

Participants: 1

Read full topic

@qin wrote:

或者其他越狱工具也可以 或者其他插件实现这个功能也可以

Posts: 6

Participants: 4

Read full topic

@qin wrote:

while (true) {
@try {
[[NSFileManager defaultManager] subpathsAtPath:filePath];
} @catch (NSException *exception) {

    }
}

我发现再xcode调试的时候如果开个线程一直执行以上方法内存是一直增长的 这个问题是怎么回事 有没有解决办法 或者我哪里写错代码了

Posts: 4

Participants: 2

Read full topic

@xhios wrote:

想了解一下“虚拟定位”这个软件是怎么做的修改机型，但是由于知识有限，分析不出来是怎么做到的，以下是我自己的粗略分析.
首先下载了deb解包来导出头文件，二进制文件扔进Hopper分析，使用FLEX找到对应的控制器，根据Hopper代码结合起来，大致分析了工作原理，首先软件会在/var/mobile/Library/Preferences/目录下生成一个otrlocation.app.85819.net.plist文件，文件内容如下

WX20170909-161910.png799x136

address_switch和switch都是控制开关，f.c这个字典里装的就是打开了修改机型和位置的App的包名和内容
下面这个好像就是改机型的方法，因为知识问题，我只能看出大致流程，先获取系统的机型来比较，如果不一样，就用plist中设置的机型将其替换，但是这里我有个疑虑，就是这个替换的问题，strncpy(stack[2022], r1, r0);这个方法可以直接把系统的给替换掉？为此我自己写了个Demo测试

    struct utsname systemInfo;
    uname(&systemInfo);
    NSString *platform = [NSString stringWithCString:systemInfo.machine encoding:NSASCIIStringEncoding];

我用上面的方法获取的机型，用“虚拟定位”对我这个demo进行修改是成功了的，我的想法是他Hook了系统的utsname.h来改的，但是找不出对应的操作方法！希望大神能给点思路和指点一下！

WX20170909-162252.png1556x956

Posts: 1

Participants: 1

Read full topic

@zoumadeng wrote:

团购IDA 7.0 pro 有需要的加qq群:539357993

Posts: 1

Participants: 1

Read full topic

@sysprogram wrote:

1. lldb 怎么修改汇编代码指令啊？
   比如将要执行的这个 beq 0x2c1c2，想把他改成 nop

-> 0x2c196 <+1926>: beq 0x2c1c2 ; <+1970>
0x2c198 <+1928>: movw r4, #0x51d4
0x2c19c <+1932>: movt r4, #0x1
0x2c1a0 <+1936>: add r4, pc

1. lldb 有什么办法可以把代码的机器码也显示出来，就像 ollydbg 代码窗口是会显示对应汇编的机器码。

Posts: 2

Participants: 2

Read full topic

@Daybreak wrote:

我在ios-runtime-headers里查看私有函数，想用cycript测试函数的效果，但是不知道该函数所属的类属于哪个进程的，请问怎么找出对应的进程让cycript勾住呢

Posts: 2

Participants: 2

Read full topic

@723443855 wrote:

鉴于论坛大量涌入新人且提问缺乏必要信息导致问题无法解决，目前暂行提问模版机制。试运行期间内新帖没有按照这个模版发帖将导致 锁帖／删帖／封号
(除非有原因,某些问题无法分类进下面的分支。这一点完全靠管理员唯一指定，大多数普通问题请老实按照下面的分类）

标**的为可选项

需求: (请勿使用 “我的需求是a但是我认为b可以解决a所以我来问问b” 这种提问模式，会造成误导）
**日志: (例如iOS系统的日志，OS X上相关操作的日志，etc)
**代码: (如果项目本身代码不方便发布请提供最小问题重现代码)
操作步骤: (请详细描述自己每步做了什么操作)
** 任何其他描述: (描述问题的现象，等等)
** 环境: (系统版本，安装的相关工具，等操作)

Posts: 1

Participants: 1

Read full topic

@Benight_iosre wrote:

还有个问题，就是iOS的app可以通过你想看到所有或者大部分的【源码】？有没有这个可能

Posts: 5

Participants: 5

Read full topic